Hi Guys

I am writing a script but I need some help.

I am trying to access a remote server that has .htaccess enabled. I need to be able to directly access the .htpasswd file and add and delete usernames and passwords using PHP.

Can anyone tell me how to access it through HTTP or any other way?

Cheers

Aaron

    10 days later

    The way apache is set up by default is not to serve up .ht* files. You can unset this in httpd.conf here:

    # The following lines prevent .htaccess files from being viewed by
    # Web clients. Since .htaccess files often contain authorization
    # information, access is disallowed for security reasons. Comment
    # these lines out if you want Web visitors to see the contents of
    # .htaccess files. If you change the AccessFileName directive above,
    # be sure to make the corresponding changes here.
    #
    # Also, folks tend to use names such as .htpasswd for password
    # files, so this will protect those as well.
    #
    <Files ~ "^\.ht">
        Order allow,deny
        Deny from all
        Satisfy All
    </Files>

    Remove that stanza and it will serve up the .ht files. This really is a bad idea since anyone can download these files. If your password file is .htpasswd like most people, I can download it and run a brute force password attack against it on my local system without you even knowing. You should try something other than http for this.

      Couldn't you access the server using PHP's FTP functions? Download the file, modify it and then upload it again?

      I tried automating management of the .htpasswd file a long time ago. I seem to remember it taking a long time to figure out how to get the passwords correctly encrypted so that the whole htaccess system would not throw up 'wrong password'.

      If I remember correctly the passwords are md5 hashed, but the md5 hash function in php produced different output to the md5 hash used by whatever program it was which produced the .htpasswd file. I think there is a php application on freshmeat.net which does .ht* management.

      here's the link:

      http://freshmeat.net/projects/class.htpasswd.php3/?topic_id=809

      The guy writes code with attitude.
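
Added example, not part of the original post or of the linked class: Apache's `htpasswd -m` writes a salted, 1000-round APR1-MD5 string of the form `$apr1$salt$digest`, not the hex output of PHP's `md5()`. The PHP below generates and checks that format; the function names, user name and password are hypothetical.

```php
<?php
// Added example: APR1-MD5, the format written by `htpasswd -m`.
const BASE64  = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
const CRYPT64 = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';

function apr1_hash(string $pw, string $salt): string
{
    $salt  = substr($salt, 0, 8);              // at most 8 salt characters are used
    $ctx   = $pw . '$apr1$' . $salt;
    $final = md5($pw . $salt . $pw, true);     // raw 16-byte digest
    for ($n = strlen($pw); $n > 0; $n -= 16) {
        $ctx .= substr($final, 0, min(16, $n));
    }
    for ($i = strlen($pw); $i > 0; $i >>= 1) {
        $ctx .= ($i & 1) ? "\0" : $pw[0];
    }
    $final = md5($ctx, true);
    for ($i = 0; $i < 1000; $i++) {            // 1000 stretching rounds
        $in = ($i & 1) ? $pw : $final;
        if ($i % 3) { $in .= $salt; }
        if ($i % 7) { $in .= $pw; }
        $in .= ($i & 1) ? $final : $pw;
        $final = md5($in, true);
    }
    $tmp = '';                                 // reorder bytes for the crypt-style encoding
    for ($k = 0; $k < 5; $k++) {
        $l   = ($k === 4) ? 5 : $k + 12;
        $tmp = $final[$k] . $final[$k + 6] . $final[$l] . $tmp;
    }
    $b64 = substr(base64_encode("\0\0" . $final[11] . $tmp), 2);
    return '$apr1$' . $salt . '$' . strtr(strrev($b64), BASE64, CRYPT64);
}

function apr1_verify(string $pw, string $stored): bool
{
    $parts = explode('$', $stored);            // ['', 'apr1', salt, digest]
    return count($parts) === 4 && $parts[1] === 'apr1'
        && hash_equals($stored, apr1_hash($pw, $parts[2]));
}

// Constructed sample: build the .htpasswd line for user "alice", then check it.
$salt = substr(strtr(base64_encode(random_bytes(6)), '+', '.'), 0, 8);
$hash = apr1_hash('s3cret-from-sms', $salt);
echo "alice:$hash\n";
var_dump(apr1_verify('s3cret-from-sms', $hash), apr1_verify('wrong', $hash));
```

`md5($pw)` returns an unsalted 32-character hex string, which is why it never matches the `$apr1$...` field Apache reads.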

        Thank you everyone for your help. I will tell why I need this and what it has to do.

        I am setting up as a micropayment provider. I will be signing up websites to my system. When a user wants to access their website they send an SMS (text message) to my specified number. The message is routed through to my server where I process the request.

        What happens in the process is that a password is created and then needs to be placed into the .htpasswd file of the website that originated the message. Once that is done my server then sends a message back to the user's mobile phone with the password included in the message. They are at that point charged for the message received and they can then use the password to access the said website.

        What I need is the way to do that.

        Aaron

          You will most likely have to place a script on the server where the htpasswd file resides and call that with the information needed to write the user/pass to the file. This is extremely insecure so you might have trouble talking the people who run the server into allowing you to do this. Also if you aren't using SSL all this information you are passing is going out as plain text, so a simple packet sniffer looking at your system will get everything you send out.

            I have a similar system setup on my site at the moment

            <?php
            //------------------------------------------------------------------------------
            // Author: S. Kallemein
            // 2002 Copyright(c) Mobile Bridges
            //------------------------------------------------------------------------------
            // Add a username/password to the password file or
            // delete username(s) from the password file
            //------------------------------------------------------------------------------
            // Parameters:
            // $username        : username
            // $passwd          : password
            //------------------------------------------------------------------------------
            // returns:
            // OK      - Successfully added/deleted the username/password
            // FAILED  - insert into the table failed.
            //------------------------------------------------------------------------------
            header("Pragma: no-cache");
            header("Expires: -1");

            $passfile = '/<path_to_passwordfile>/.htpasswd';

            //------------------------------------------------------------------------------
            // Author: S. Kallemein
            // 2002 Copyright(c) Mobile Bridges
            //------------------------------------------------------------------------------
            // Delete username(s) from the password file
            //------------------------------------------------------------------------------
            // Parameters:
            // $u               : username
            //------------------------------------------------------------------------------
            // returns:
            // number of entries removed, or false if access to passfile was denied
            //------------------------------------------------------------------------------
            function DeleteUser($u)
            {
                global $passfile;

                // 'c+' opens without truncating, so the lock is held before anything is rewritten
                if (!($fpass = fopen($passfile, 'c+'))) {
                    return false;
                }
                flock($fpass, LOCK_EX);

                $done = 0;
                $newusers = '';
                while (($line = fgets($fpass)) !== false) {
                    $line = trim($line);
                    // split() was removed in PHP 7; explode() does the same job here
                    list($user) = explode(':', $line, 2);
                    if ($user != '' && strcmp($u, $user) != 0) {
                        $newusers .= "$line\n";
                    } else {
                        $done++;
                    }
                }
                if ($done) {
                    // Rewrite the file in place while still holding the lock
                    rewind($fpass);
                    ftruncate($fpass, 0);
                    fputs($fpass, $newusers);
                }
                fclose($fpass);
                return $done;
            }

            // register_globals no longer exists (removed in PHP 5.4), so the request
            // parameters are read explicitly.
            $username = $_REQUEST['username'] ?? '';
            $passwd   = $_REQUEST['passwd'] ?? '';

            // Reject missing names and names containing ':' or line breaks, which
            // would corrupt the passfile or add extra entries.
            if (!is_string($username) || !is_string($passwd)
                || $username == '' || $username == '?'
                || preg_match('/[:\r\n]/', $username)) {
                echo "FAILED";
                exit();
            }

            $removed = DeleteUser($username);
            if ($removed === false) {
                echo "FAILED, ACCESS TO PASSFILE DENIED";
                exit();
            }

            if ($passwd != '') {
                // Add user
                if ($h = fopen($passfile, 'a')) {
                    flock($h, LOCK_EX);
                    // crypt() without a salt no longer works in PHP 8; password_hash()
                    // writes a bcrypt ($2y$) entry, which Apache 2.4+ accepts.
                    $pw = password_hash($passwd, PASSWORD_BCRYPT);
                    fputs($h, "$username:$pw\n");
                    fclose($h);
                    echo "OK";
                } else {
                    echo "FAILED, ACCESS TO PASSFILE DENIED";
                }
            } elseif ($removed > 0) {
                echo "OK";
            }
            ?>
            

            In my .htaccess file I stop any access to my directory apart from the IP address of the company providing the service. I had no problems with the way this is done and quite a few other sites do not as well.

            Please provide feedback. I'm unsure, though, how to access the file above from my server?
